CVE-2026-55597 Overview
CVE-2026-55597 is a heap buffer overflow vulnerability in ImageMagick, the widely used open-source image editing and manipulation library. The flaw resides in the JP2 (JPEG 2000) encoder and stems from incorrect handling of arguments, resulting in a heap buffer over-write during image processing. All versions prior to 7.1.2-26 are affected. The vulnerability was fixed in version 7.1.2-26. Exploitation requires local access and user interaction, such as processing a maliciously crafted image, and primarily impacts application availability.
Critical Impact
Processing a crafted image with a vulnerable ImageMagick build triggers a heap buffer over-write in the JP2 encoder, causing memory corruption and application crashes.
Affected Products
- ImageMagick versions prior to 7.1.2-26
- Applications and services embedding vulnerable ImageMagick builds for JP2 encoding
- Linux distributions and container images packaging affected ImageMagick releases
Discovery Timeline
- 2026-07-01 - CVE-2026-55597 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-55597
Vulnerability Analysis
The vulnerability affects the JP2 encoder path within ImageMagick. When the encoder receives improperly validated arguments, it miscalculates buffer boundaries and writes beyond an allocated heap region. The condition is classified under [CWE-682] (Incorrect Calculation), reflecting a computation error in size or offset handling rather than a missing check on user input alone.
The issue is exploitable locally when a user or automated pipeline invokes ImageMagick to convert or write a JP2 output file. Because the write occurs on the heap, attackers can influence adjacent allocations to corrupt program state, most reliably producing a crash and denial of service. The impact profile emphasizes availability, with confidentiality and integrity impacts not scored.
Root Cause
The root cause is an incorrect calculation in argument handling inside the JP2 encoder. The encoder does not correctly reconcile input dimensions, channel counts, or component parameters with the size of the destination heap buffer. When encoding proceeds, the writes cross the intended boundary and overwrite adjacent heap memory.
Attack Vector
An attacker delivers a crafted image or supplies malicious parameters to a workflow that encodes output as JP2 using ImageMagick. A local user must trigger the conversion, for example through convert input.ext output.jp2 or an application feature that reaches the JP2 encoder. Server-side image processing pipelines that accept user-supplied files and invoke ImageMagick locally are also exposed.
No verified public exploit code is available. The vulnerability is described in the GitHub Security Advisory GHSA-c4v7-w88g-m6c4.
Detection Methods for CVE-2026-55597
Indicators of Compromise
- Unexpected crashes of processes invoking magick, convert, or applications linked against libMagickCore when producing JP2 output
- Core dumps or ASan reports referencing the JP2 encoder call path in ImageMagick
- Presence of ImageMagick binaries or libraries reporting versions earlier than 7.1.2-26
Detection Strategies
- Inventory installed ImageMagick versions across endpoints, servers, and container images and flag any build earlier than 7.1.2-26
- Enable AddressSanitizer or heap protection during testing to surface heap over-write conditions in JP2 encoding workflows
- Review application logs for repeated abnormal terminations of image conversion processes handling untrusted inputs
Monitoring Recommendations
- Monitor process exit codes and segmentation faults for ImageMagick-related binaries in production pipelines
- Alert on new file uploads targeting image processing endpoints followed by process crashes within a short window
- Track package manager events that install or update ImageMagick to verify patched versions are deployed
How to Mitigate CVE-2026-55597
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-26 or later across all systems, containers, and dependent applications
- Audit build pipelines and third-party software bundles for embedded vulnerable ImageMagick versions
- Restrict local invocation of ImageMagick on untrusted inputs until patching completes
Patch Information
The issue is fixed in ImageMagick version 7.1.2-26. Refer to the upstream GitHub Security Advisory GHSA-c4v7-w88g-m6c4 for the fix commit and release details. Redistribute or rebuild container images and downstream packages after applying the fixed version.
Workarounds
- Disable the JP2 coder in the ImageMagick policy.xml file if patching cannot be performed immediately
- Avoid encoding output to the JP2 format when handling untrusted or attacker-influenced inputs
- Sandbox ImageMagick execution with restricted user privileges, seccomp, or containerization to limit blast radius from crashes
# policy.xml workaround - block JP2 encoding until upgrade to 7.1.2-26
# Add inside the <policymap> element of /etc/ImageMagick-7/policy.xml
<policy domain="coder" rights="none" pattern="JP2" />
<policy domain="coder" rights="none" pattern="JPC" />
<policy domain="coder" rights="none" pattern="J2K" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

